Despite the multiple mitigations available to defend against Cross-Site Scripting (XSS) attacks, it remains a common vulnerability in 2023. This presentation aims to provide testers with a few methodological considerations when examining web applications for XSS vulnerabilities. Examples will be inspired by real life security assessments. The presentation will then conclude with a suggested layered defence-in-depth approach to mitigating XSS attacks.